From 740bc8495bcc454b9d914ac7f46b0f30aefa1473 Mon Sep 17 00:00:00 2001
From: Richie Cahill <Richie@tmmworkshop.com>
Date: Fri, 5 Jul 2024 14:30:41 -0400
Subject: [PATCH] set up sops for jeevesjr

---
 systems/jeeves-jr/docker/web.nix | 15 ++++++++++++---
 systems/jeeves-jr/secrets.yaml   |  8 +++++---
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/systems/jeeves-jr/docker/web.nix b/systems/jeeves-jr/docker/web.nix
index 31349eb..f092fd8 100644
--- a/systems/jeeves-jr/docker/web.nix
+++ b/systems/jeeves-jr/docker/web.nix
@@ -1,3 +1,4 @@
+{ config, ... }:
 let
   vars = import ../vars.nix;
 in
@@ -7,7 +8,7 @@ in
       image = "ubuntu/apache2:latest";
       volumes = [
         "${../../../users/richie/global/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
-        "/ZFS/Main/Mirror/:/data"
+        "${vars.main_mirror}:/data"
       ];
       ports = [ "800:80" ];
       extraOptions = [ "--network=web" ];
@@ -20,7 +21,7 @@ in
         TZ = "Etc/EST";
       };
       volumes = [
-        "${vars.main_docker}/jeeves-jr/haproxy/cloudflare.pem:/etc/ssl/certs/cloudflare.pem"
+        "${config.sops.secrets."docker/haproxy_cert".path}:/etc/ssl/certs/cloudflare.pem"
         "${./haproxy.cfg}:/usr/local/etc/haproxy/haproxy.cfg"
       ];
       dependsOn = [ "arch_mirror" ];
@@ -33,10 +34,18 @@ in
         "tunnel"
         "run"
       ];
-      environmentFiles = [ "${vars.main_docker}/jeeves-jr/cloudflare_tunnel.env" ];
+      environmentFiles = [ config.sops.secrets."docker/cloud_flare_tunnel".path ];
       dependsOn = [ "haproxy" ];
       extraOptions = [ "--network=web" ];
       autoStart = true;
     };
   };
+  sops = {
+    defaultSopsFile = ../secrets.yaml;
+    secrets = {
+      "docker/cloud_flare_tunnel".owner = "docker-service";
+      "docker/haproxy_cert".owner = "docker-service";
+    };
+  };
+
 }
diff --git a/systems/jeeves-jr/secrets.yaml b/systems/jeeves-jr/secrets.yaml
index 1d3c237..fdd44c4 100644
--- a/systems/jeeves-jr/secrets.yaml
+++ b/systems/jeeves-jr/secrets.yaml
@@ -1,4 +1,6 @@
-hello: ENC[AES256_GCM,data:y98ZcYZQSYP8GBFysKvD292lU1EPa0o/wV7EHPLelIIHl8bWE5Lz27KUsCnzNQ==,iv:zU9zBeNyAyiLs30ftxrATG/X/U7Z7euLqjDKmg0Lh7Y=,tag:MG61sKRBEvE7T/oWO3rGpA==,type:str]
+docker:
+    cloud_flare_tunnel: ENC[AES256_GCM,data:E+XYu5AxS8Ew9OVIfbH5gLkMk+rZ4yT96tSGAwL4smedkddoevRnqil78LtFNYKV8Zo3MpuA8q/c4Me0KrrlSAvwJz1T2cev0dKnuTei3MHZxK7RwWYo9UMJH+aV+l343OY9nvGBj6ryTM3wKyUIoqSmOnRCAbYmhkkqN0wFO+Mxxqjw6nf5UEeeKb36k2NwlhjjnscOKe+wo3sXhjjzVXrE3IOUQJM3hWWukMElcYewVgJmstRidKiNCRMi1/UYMk/Nfhk=,iv:yFJ5SbHB3wZ0FEF0k9KrWye55ref7OqbQPd8oMLTmH4=,tag:p3K4yGR6X2+uKIj4H6rZ+g==,type:str]
+    haproxy_cert: ENC[AES256_GCM,data:1n2BurHeWI+j7CMQ7qk3DUl+8MgqRsgtYQ1TxJKcPXuz0YBkg6SUp95lPZv6Jo+2OIaVxCoWpiuoLp8YgtJgnZo4S9QVG2qi60sWCSf4acMRSg0hIA/pdcslogZc5LrsBOTINZCODE4mz7Bya42f+RfVfwPGT7Buz8MniW6kfT9cr3iuq+BQc6513sHhDHgZJgwdfP5x9XrwEtaBl41Db7ejGTrza9jtsHqkrD8j3Pf1XJDhACrTeB7Uqh68sjwc2giAc/2bInDayvnKFHqHaLFTUMAbCeMPOiEZSK4UaWrSMk5I5wDVu8Ya8nBostHlPOBT06gFxT13aEe3Ox3/ctBm/83BXhFfjEaYy6AbMhbp29nxUogVjMICs3FiHG3XBz7vsVxxcBvLXp1Bw3ml5Vd7ACKQPe+r1T54aIdYMoab8DhKPMqb/6TQwrhWD3je4wwOHzzQq9psE1hlB2lJsRnAsVAy9a7M5aBpj0v2pCPVjxjkGHqUUgN+w4hzPPf10A0dWiaXc3k8bWcwc1SlJwHvYxphyZEjNQAzXrAkUPcuy4+9c7LwniMdu5qoUL/oZPW5VHWgtrUO9IlAgduiEujrAW96zfz4jfM0UBqJHT58l/WHHmBM8bMsRDHTnc43uvdoU+VgjtTiFERBi+Xm5mXCqWd4d5Y5P8ozIwGho8UdLqmR9Y2nth1mrs//FIh9mZ7i7QQGHBzoR7ICRDX2ghK98J4RMfF2ph0I+nhWpoCq056xItoVZyAEWQSR4ptpAaKMX4Crd3hrK6tZmyvaTrk5IsNaf5hrS+Fw8uTYUAM+3E6kb1TJwFvUH1plkwU83iBRlboRO5d1ahESp5nifZIVz+KBStLjUVWfXnelPCkH55LVnobgk0zekoEeNLKq+Q5wOBmR28rYXVp/q+FNCgxEW+tXIswmC72jbsDxM/oMHBQnYsmEy5dTxU2X/IzmrZfWod07fRblkWRplzLGyEjsY7CquHlG119LuHcWFOUGxYm3bgn1pGnIV3cBLvbInEAPK0apqSXMBSJw0mk/ihtdx8ANidMn8nhkHVjo/Bo9orH3tJdw8l7x+Cei347CkiQZz21jHvL1qcV/EAAxBnT4c5WtOljo13ntk8RiARdye4hcUXpORIUhH8zq88RNquOkF5QjV8C/u2EaUhQYqy3Xts49v7S9I8LLzjrrfY/IDQVqlJsAgkNuwvheTlya5JoeTasscLfLt3iJ7LsbzWWqQrfn3KQJp3H4Gxh/uqak/V5ROBahHQ4KpXzsDG++XLE0o7W4BFQbrBYV99mlGzB1blmX30C8S+b8n1u+oMXfH8oY20Jm5UQcV5/JNK8WG69ihonRDXdX7fy2WGzylql2hj+3aoYYdYpFAeHVLNzj9vAIxPHzvK0JmwdynsFLo4Hpyn7KN+6L3MSACjAOc3SxY20XxjmqJSWVEM0tq4Zbe/VdhOF1L4pyIBMKQC2XwrWyturTboh86qAfyxtYzEQXGLzz585nVnwj9PLmXQw98M8JWwsFq58ZsOdQZKhN3e0aSY2opSigmXQ9ZJeCF+6KbwElOSz4pDfkZIXqZc+LCzEl5IO1CxLWCTIIfN3Gx60W3vz8QohydoCBt2FLHH3lBiAEitWxYQhsfdlFExQa1/+0WSk3wK5dEA7SPaBWKq+xtPR0yUmuT/JN4VPX+hqqkVHigk8+XfqE/H1as9JbYo92N6xBd2ZrNzhFIkMykUOT+0etVtyOdXLkxdV9lwaBX9ARPHJV7g35e52UspX335aLGE0GtCaIbHRwJuENCIixo7sbdmB9i9xSTeg+7RBQAWpuR7O6firAEKWOGBaYzDUBnqt++Q2wUuMnQBJE/9bh,iv:3FuXEQxbTvbdnBnwPxF+T8QZvQoWX/WXx3lpDBXML1k=,tag:g1Y4qY+XoSA6K/LCKbllOw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -14,8 +16,8 @@ sops:
             QmcxMmhaaGZXU1VFN0pvT1VDN3hpcGsKXUlVytBrz8sUorTSHXZaOMYA5U6qUpas
             ZJiHtVGxRVwCpraHWLmQTRkO6pT36cEVsfsMnFH6NLOMOvA3vLX8/g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-12-29T20:01:04Z"
-    mac: ENC[AES256_GCM,data:9tUmPHyKY42lT1EfbDK7Es9MIdiR5A0rs/ST89baJMANGIN+oKQzkzDujG2WM8hxvgApl/GuIdy5ZBNZlUM0iYxFUd2a0UBDyjw+xTzWIuQr2/TuI8/cOgp04Kk+M9wNlLzE/dJAXsaqBo0EaHpfwKo/3/J53UfiIZrOtAZv+Qg=,iv:E79aJdvhkG2PfsO06QQa2Pzs3yiSHDARpZtM+uxiZJE=,tag:UwEcwBm22Ep2U2mhDgpQ0w==,type:str]
+    lastmodified: "2024-07-05T18:26:01Z"
+    mac: ENC[AES256_GCM,data:sLVSN3FGbK5KorwoSzX4GwGPvGKgOR7g1g+RdLAVX4KjAeORaeSz5S84HjLYKehRUfdGjoJ+9hwF6hxWTpilUNqcg2GQFEJFVSmlGtzi6MGAy19qKPKfTPb4r+PD+BC+EnlAkq4t3sUhPLRL2Cb1IJ7wbg7QM5xXTBkRz8vscW8=,iv:XhIHzFrnsbLd6VxJfgqQoksvx/cWNRAPZkDqCwVwcEY=,tag:JY6F5JjRsh2IHiBjIH0BrA==,type:str]
     pgp:
         - created_at: "2024-03-23T05:49:12Z"
           enc: |-